Manualshelf

System information

ManualsBrandsD-Link ManualsComputer equipmentDWS-1008
131132133134135136137138139140
136
DWS-1008 CLI Reference Guide
D-Link Systems, Inc.
AAA Commands
• eap-tls - EAP with Transport Layer Security (TLS):
• Provides mutual authentication, integrity-protected
negotiation, and key exchange
• Requires X.509 public key certificates on both sides of
the connection
• Provides encryption and integrity checking for the
connection
• Cannot be used with RADIUS server authentication
• peap-mschapv2 - Protected EAP (PEAP) with Microsoft
Challenge Handshake Authentication Protocol version 2
(MS-CHAP-V2). For wireless clients:
• Uses TLS for encryption and data integrity checking
and server-side authentication
• Provides MS-CHAP-V2 mutual authentication
• Only the server side of the connection needs a
certificate.
The wireless client authenticates using TLS to set up an
encrypted session. Then MS-CHAP-V2 performs mutual
authentication using the specified AAA method.
pass-through - MSS sends all the EAP protocol processing to a
RADIUS server.
method1 At least one and up to four methods that MSS uses to handle
method2 authentication. Specify one or more of the following methods in
method3 priority order. MSS applies multiple methods in the order you
method4 enter them.
A method can be one of the following:
• local - Uses the local database of usernames and user
groups on the switch for authentication.
• server-group-name - Uses the defined group of
RADIUS servers for authentication. You can enter up to
four names of existing RADIUS server groups as
methods.
RADIUS servers cannot be used with the EAP-TLS
protocol. For more information, see “Usage.
Defaults: By default, authentication is unconfigured for all clients with network access through
AP ports or wired authentication ports on the switch. Connection, authorization, and
accounting are also disabled for these users. Bonded authentication is disabled by
default.
Access: Enabled.
Usage: You can configure different authentication methods for different groups of users by
“globbing. You can configure a rule either for wireless access to an SSID, or for wired
access through a switch’s wired authentication port. If the rule is for wireless access
to an SSID, specify the SSID name or specify any to match on all SSID names. If the
rule is for wired access, specify wired instead of an SSID name.