Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

381

382

383

384

385

386

387

388

389

390

Configuring AAA for Users of Third-Party APs

RoamAbout Mobility System Software Configuration Guide 17-37

Configuring AAA for Users of Third-Party APs

ARoamAboutSwitchcanprovidenetworkaccessforusersassociatedwithathird‐partyAPthat

hasauthenticatedtheuserswithRADIUS.Youcanconnectathird‐partyAPtoaRoamAbout

SwitchandconfiguretheRoamAboutSwitchtoprovideauthorizationforclientswho

authenticateandaccessthenetworkthroughthe

AP.Figure 17‐3showsanexample.

Figure 17-3 RoamAbout Switch Serving as RADIUS Proxy

1. MSSusesMACauthenticationtoauthenticatetheAP.

2. TheusercontactstheAPandnegotiatestheauthenticationprotocoltobeused.

3. TheAP,actingasaRADIUSclient,sendsaRADIUSaccess‐requesttothe RoamAboutSwitch.

Theaccess‐requestincludestheSSID,theuser’s

MACaddress,andtheusername.

4. For802.1Xusers,theAPuses802.1Xtoauthenticatetheuser,usingtheRoamAboutSwitchas

itsRADIUSserver.TheRoamAboutSwitchproxiesRADIUSrequestsfromtheAPtoareal

RADIUSserver,dependingontheauthenticationmethodspecifiedintheproxy

authenticationruleforthe

user.

•Fornon‐802.1Xusers,theAPdoesnotuse802.1X.TheRoamAboutSwitchsendsa

RADIUSqueryforthespecialusernameweb‐portal‐ssidorlast‐resort‐ssid,wheressidis

theSSIDname.Thefallthruauthenticationtype(web‐portalorlast‐resort)specifiedfor

thewiredauthentication

portconnectedtotheAPdetermineswhichusernameisused.

•ForanyusersofanAPthatsendsSSIDtraffictotheRoamAboutSwitchonanuntagged

VLAN,theRoamAboutSwitchdoesnotuse802.1X.TheRoamAboutSwitchsendsa

RADIUSqueryforthespecialusernameweb‐portal‐wiredorlast‐

resort‐wired,

dependingonthefallthruauthenticationtype specifiedforthewiredauthenticationport.

5. AftersuccessfulRADIUSauthentication oftheuser(orspecialusername,fornon‐802.1X

users),MSSassignsauthorizationattributestotheuserfromtheRADIUSserver’saccess‐

acceptresponse.

6. Whentheuser’ssessionends,thethird‐partyAP

sendsaRADIUSstop‐accountingrecordto

theRoamAboutSwitch.TheRoamAboutSwitchthenremovesthesession.

RoamAbout switch

Wired Layer 2

connection

RADIUS server

Layer 2

or Layer 3