Specifications
Configuring AAA for Users of Third-Party APs
17-38 Configuring AAA for Network Users
Requirements
Third-Party AP Requirements
• The third-party AP must be connected to the RoamAbout Switch through a wired Layer 2 link. MSS cannot provide data services if the AP and RoamAbout Switch are in different Layer 3 subnets.
• The AP must be configured as the RoamAbout Switch's RADIUS client.
• The AP must be configured so that all traffic for a given SSID is mapped to the same 802.1Q tagged VLAN. If the AP has multiple SSIDs, each SSID must use a different tag value.
• The AP must be configured to send the following information in a RADIUS access-request, for each user who wants to connect to the WLAN through the RoamAbout Switch:
  – SSID requested by the user. The SSID can be attached to the end of the called-station-id (per Congdon), or can be in a VSA (for example, cisco-vsa:ssid=r12-cisco-1).
  – Calling-station-id that includes the user's MAC address. The MAC address can be in any of the following formats:
    - Separated by colons (for example, AA:BB:CC:DD:EE:FF)
    - Separated by dashes (for example, AA-BB-CC-DD-EE-FF)
    - Separated by dots (for example, AABB.CCDD.EEFF)
  – Username
• The AP must be configured to send a RADIUS stop-accounting record when a user's session ends.
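The following check is an added example, not code from the RoamAbout documentation: it takes an already-decoded access-request and verifies that it carries the SSID, a calling-station-id in one of the three listed MAC formats, and a username. Assumptions: attributes arrive as a Python dict, the `cisco-vsa` key holds a list of `name=value` strings, the SSID in the called-station-id follows the `<AP MAC>:<SSID>` layout of RFC 3580 (Congdon et al.), and hex digits are accepted in either case.

```python
import re

# The three Calling-Station-Id MAC formats listed above.
MAC_FORMATS = (
    re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"),    # AA:BB:CC:DD:EE:FF
    re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"),    # AA-BB-CC-DD-EE-FF
    re.compile(r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"),   # AABB.CCDD.EEFF
)
# Assumed Called-Station-Id layout "<AP MAC>:<SSID>" (RFC 3580 convention).
CALLED_WITH_SSID = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}:(.+)")

def normalize_mac(value):
    """Return AA:BB:CC:DD:EE:FF, or None if value is not in a listed format."""
    if not any(p.fullmatch(value) for p in MAC_FORMATS):
        return None
    digits = re.sub(r"[:.-]", "", value).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def extract_ssid(attrs):
    """Prefer an ssid= pair in the VSA list, else the tail of Called-Station-Id."""
    for pair in attrs.get("cisco-vsa", []):
        key, _, val = pair.partition("=")
        if key.strip().lower() == "ssid" and val:
            return val
    m = CALLED_WITH_SSID.fullmatch(attrs.get("Called-Station-Id", ""))
    return m.group(1) if m else None

def check_access_request(attrs):
    """Return (summary, problems) for one decoded access-request."""
    summary = {"ssid": extract_ssid(attrs),
               "mac": normalize_mac(attrs.get("Calling-Station-Id", "")),
               "user": attrs.get("User-Name") or None}
    problems = [f"{k} missing or malformed" for k, v in summary.items() if v is None]
    return summary, problems

# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"User-Name": "alice", "Calling-Station-Id": "AABB.CCDD.EEFF",
     "Called-Station-Id": "00-10-A4-23-19-C0:corp"},
    {"User-Name": "bob", "Calling-Station-Id": "aa-bb-cc-dd-ee-ff",
     "cisco-vsa": ["ssid=r12-cisco-1"]},
    {"Calling-Station-Id": "AABBCCDDEEFF", "Called-Station-Id": "00-10-A4-23-19-C0"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_access_request(sample))
```

Normalizing the MAC to one form before comparing it against session or accounting records avoids treating the same client as three different stations.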
RoamAbout Switch Requirements
• The RoamAbout Switch port connected to the third-party AP must be configured as a wired authentication port. If SSID traffic from the AP is tagged, the same VLAN tag value must be used on the wired authentication port.
• A MAC authentication rule must be configured to authenticate the AP.
• The RoamAbout Switch must be configured as a RADIUS proxy for the AP. The RoamAbout Switch is a RADIUS server to the AP but remains a RADIUS client to the real RADIUS servers.
• An authentication proxy rule must be configured for the AP's users. The rule matches based on SSID and username, and selects the authentication method (a RADIUS server group) for proxying.
Note: The RoamAbout Switch system IP address must be the same as the IP address configured on
the VLAN that contains the proxy port.