Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

411

412

413

414

415

416

417

418

419

420

Network User Configuration Scenarios

17-68 Configuring AAA for Network Users

Combining EAP Offload with Pass-Through Authentication

ThefollowingexampleillustrateshowtoenablePEAP‐MS‐CHAP‐V2offloadforthemarketing

(mktg)groupandRADIUSpass‐throughauthenticationformembersofengineering.Thisexample

assumesthatengineeringmembersareusingDNS‐stylenam ing,suchasisusedwithEAP‐TLS.A

RoamAboutswitchservercertificateis

alsorequired.

1. ConfiguretheRADIUSserverr1atIPaddress10.1.1.1withthestringstarryforthekey.Type

thefollowingcommand:

RBT-8100# set radius server r1 address 10.1.1.1 key starry

2. Configuretheservergroupsg1withmemberr1.Typethefollowingcommand:

RBT-8100# set server group sg1 members r1

3. Toauthenticateall802.1XusersofSSIDbobbleheadinthegroupmktgusingPEAPonthe

RoamAboutSwitchandMS‐CHAP‐V2onserversg1,typethefollowingcommand:

RBT-8100# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1

4. Toauthenticateall802.1XusersofSSIDaircorpin@eng.example.comviapass‐throughtosg1,

typethefollowingcommand:

RBT-8100# set authentication dot1x ssid aircorp *@eng.example.com pass-

through sg1

5. Savetheconfiguration:

RBT-8100 save config

success: configuration saved.

Overriding AAA-Assigned VLANs

ThefollowingexampleshowshowtochangetheVLANaccessofwirelessusersinan

organizationhousedinmultiplebuildings.

SupposethewirelessusersonthefacultyofacollegeEnglishdepartmenthaveofficesin

building Aand areauthorizedtousethatbuilding’sbldga‐prof‐VLANs.Theseusersalsoteach

classes

inbuilding B.Becauseyoudonotwanttotunneltheseusersbacktobuilding Afrom

building Bwhentheyusetheirwirelesslaptopsinclass,youconfigurethelocationpolicyonthe

RoamAboutSwitchtoredirectthemtothebldgb‐engVLAN.

Youalsowanttoallowwritinginstructorsnormallyauthorized

touseany‐techcommVLANinthe

collegetoaccessthenetworkthroughthebldgb‐engVLANwhentheyareinbuilding B.

1. Redirectbldga‐prof‐VLANuserstotheVLANbldgb‐eng:

RBT-8100# set location policy permit vlan bldgb-eng if vlan eq bldga-prof-*

2. Allowwritinginstructorsfrom‐techcommVLANstousethebldgb‐engVLAN:

RBT-8100# set location policy permit vlan bldgb-eng if vlan eq *-techcomm

3. Displaytheconfiguration:

RBT-8100# show location policy

Id Clauses

-----------------------------------------------------

1) permit vlan bldgb-teach if vlan eq bldga-prof-*

2) permit vlan bldgb-eng if vlan eq *-techcomm

4. Savetheconfiguration:

RBT-8100 save config

success: configuration saved.