Hub/Switch Reference Guide
198 AAA Commands
NN47250-100 (Version 02.51)
Defaults
By default, authentication is unconfigured for all clients with network access through
AP ports or wired authentication ports on the WSS. Connection, authorization, and accounting are
also disabled for these users.
Bonded authentication is disabled by default.
Access
Enabled.
Usage
You can configure different authentication methods for different groups of users by
“wildcarding.” (For details, see “User Wildcards” on page 12.)
You can configure a rule either for wireless access to an SSID, or for wired access through a WSS’s wired
authentication port. If the rule is for wireless access to an SSID, specify the SSID name or specify any to
match on all SSID names. If the rule is for wired access, specify wired instead of an SSID name.
You cannot configure client authentication that uses both the EAP-TLS protocol and one or more RADIUS
servers. EAP-TLS authentication is supported only on the local WSS database.
If you specify multiple authentication methods in the set authentication dot1x command, WSS Software
applies them in the order in which they appear in the command, with these results:
• If the first method responds with pass or fail, the evaluation is final.
• If the first method does not respond, WSS Software tries the second method, and so on.
•However, if local appears first, followed by a RADIUS server group, WSS Software overrides any failed
searches in the local WSS database and sends an authentication request to the server group.
If the user does not support 802.1X, WSS Software attempts to perform MAC authentication for the user. In
this case, if the switch’s configuration contains a set authentication mac command that matches the SSID the
user is attempting to access and the user’s MAC address, WSS Software uses the method specified by the
command. Otherwise, WSS Software uses local MAC authentication by default.
If the username does not match an authentication rule for the SSID the user is attempting to access, WSS
Software uses the fallthru authentication type configured for the SSID, which can be last-resort, web-portal
(for Web-based AAA), or none.
Examples
The following command configures EAP-TLS authentication in the local WSS
database for SSID mycorp and 802.1X client Geetha:
WSS# set authentication dot1x ssid mycorp Geetha eap-tls local
success: change accepted.
The following command configures PEAP-MS-CHAP-V2 authentication at RADIUS server groups sg1
through sg3 for all 802.1X clients at example.com who want to access SSID examplecorp:
WSS# set authentication dot1x ssid examplecorp *@example.com peap-mschapv2
sg1 sg2 sg3
success: change accepted.
See Also
• clear authentication dot1x on page 169
• set authentication admin on page 182
• set authentication console on page 183
• set authentication mac on page 189
• set authentication web on page 191