DWS-1008 User’s Manual
D-Link Systems, Inc.
Conguring AAA for Network Users
The following command congures a MAC authentication rule that matches on the third-party
AP’s MAC address. Because the AP is connected to the switch on a wired authentication
port, the wired option is used.
DWS-1008# set authentication mac wired aa:bb:cc:01:01:01 srvrgrp1
success: change accepted.
The following command maps SSID mycorp to packets received on port 3 or 4, using 802.1Q
tag value 104:
DWS-1008# set radius proxy port 3-4 tag 104 ssid mycorp
success: change accepted.
Enter a separate command for each SSID, with its tag value, that you want the switch to
support.
The following command configures a RADIUS proxy entry for a third-party AP RADIUS
client at 10.20.20.9, sending RADIUS traffic to the default UDP ports 1812 and 1813 on the
DWS-1008 switch:
DWS-1008# set radius proxy client address 10.20.20.9 key radkey1
success: change accepted.
The IP address is the AP’s IP address. The key is the shared secret configured on the
RADIUS servers. MSS uses the shared secret to authenticate and encrypt RADIUS
communication.
The following command congures a proxy authentication rule that matches on all
usernames associated with SSID mycorp. MSS uses RADIUS server group srvrgrp1 to
proxy RADIUS requests and hence to authenticate and authorize the users.
DWS-1008# set authentication proxy ssid mycorp ** srvrgrp1
To verify the changes, use the show config area aaa command.
Conguring Authentication for Non-802.1X Users of a Third-Party AP
with Tagged SSIDs
To congure MSS to authenticate non-802.1X users of a third-party AP, use the same
commands as those required for 802.1X users. Additionally, when conguring the wired
authentication port, use the auth-fall-thru option to change the fallthru authentication type
to last-resort.
On the RADIUS server, congure username last-resort-ssid, depending on the fallthru
authentication type you specify for the wired authentication port.