Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

351

352

353

354

355

356

357

358

359

360

AAA Tools for Network Users

RoamAbout Mobility System Software Configuration Guide 17-9

AAA Rollover Process

ARoamAboutSwitchattemptsAAAmethodsintheorderinwhichtheyareenteredinthe

configuration:

1. ThefirstAAAmethodinthelistisusedunless thatmethodresultsinanerror.Ifthemethod

resultsinapassorfail,theresultisfinalandtheRoamAboutSwitchtries

noothermethods.

2. IftheRoamAboutSwitchreceivesnoresponsefromthefirstAAAmethod,ittriesthesecond

methodinthelist.

3. IftheRoamA boutSwitchreceivesnoresponsefromthesecondAAAmethod,ittriesthethird

method.Thisevaluationprocessisappliedtoallmethodsinthelist.

Local Override Exception

Theoneexceptiontotheoperationdescribedin“AAARolloverProcess”(page 17‐9)takesplaceif

thelocaldatabaseisthefirstmethodinthelistandisfollowedbyaRADIUSservergroupmethod.

Ifthelocalmethodfailstofindamatchingusernameentryinthelocaldatabase,

theRoamAbout

SwitchtriesthenextRADIUS servergroupmethod.Thisexceptionisreferredtoaslocaloverride.

Ifthelocaldatabaseisthelastmethodinthelist,however,localauthenticationmusteitheraccept

ordenytheuser,becauseithasnoothermethodtorolloverto.

Remote Authentication with Local Backup

Youcanuseacombinationofauthenticationmethods;forexample,PEAPoffloadandlocal

authentication.WhenPEAPoffloadisconfigured,theRoamAboutSwitchoffloadsallEAP

processingfromservergroups;theRADIUSserversarenotrequiredtocommunicateusingthe

EAPprotocols.(Fordetails,see“ConfiguringEAPOffload”onpage 17

‐14.)Intheeventthat

RADIUSserversareunavailable,localauthenticationtakesplace,usingthedatabaseonthe

RoamAboutSwitch.

Example

SupposeanadministratorwantstorelyonRADIUSserversandalsowantstoensurethatacertain

groupofusersalwaysgetsaccess.Asshowninthefollowingexample,theadministratorenable

PEAPoffload,sothatauthenticationisperformedbyaRADIUSservergroupasthefirstmethod

fortheseusers,

andconfigurelocalauthenticationlast,incasetheRADIUSserversare

unavailable.(SeeFigure 17‐2onpage 17‐10.)

1. Toconfigureserver‐1andserver‐2atIPaddresses192.168.253.1and192.168.253.2withthe

passwordchey3nn3,theadministratorentersthefollowingcommands:

RBT-8100# set radius server server-1 address 192.168.253.1 key chey3nn3

RBT-8100# set radius server server-2 address 192.168.253.2 key chey3nn3

2. Toconfigureserver‐1andserver‐2intoserver‐group‐1,theadministratorentersthefollowing

command:

RBT-8100# set server group server-group-1 members server-1 server-2

Note: If a AAA rule specifies local as a secondary AAA method, to be used if the RADIUS servers

are unavailable, and MSS authenticates a client with the local method, MSS starts again at the

beginning of the method list when attempting to authorize the client. This can cause unexpected

delays during client processing and can cause the client to time out before completing logon.