Operation Manual

AAA Commands
Mobility System Software Command Reference Guide
Version 7.3
9 – 168
protocol
    Protocol used for authentication. Specify one of the following:

    eap-md5—Extensible Authentication Protocol (EAP) with message-digest algorithm 5. For wired authentication clients:
        Uses challenge-response to compare hashes
        Provides no encryption or integrity checking for the connection
        Note: The eap-md5 option does not work with Microsoft wired authentication clients.

    eap-tls—EAP with Transport Layer Security (TLS):
        Provides mutual authentication, integrity-protected negotiation, and key exchange
        Requires X.509 public key certificates on both sides of the connection
        Provides encryption and integrity checking for the connection
        Cannot be used with RADIUS server authentication (requires user information to be in the MX local database)

    peap-mschapv2—Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2). For wireless clients:
        Uses TLS for encryption and data integrity checking and server-side authentication.
        Provides MS-CHAP-V2 mutual authentication.
        Only the server side of the connection needs a certificate.
        The wireless client authenticates using TLS to set up an encrypted session. Then MS-CHAP-V2 performs mutual authentication using the specified AAA method.

    pass-through—MSS sends all the EAP protocol processing to a RADIUS server.

method1
method2
method3
method4
    At least one and up to four methods that MSS uses to handle authentication. Specify one or more of the following methods in priority order. MSS applies multiple methods in the order you enter them.

    A method can be one of the following:

    local—Uses the local database of usernames and user groups on the MX switch for authentication.

    server-group-name—Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.
        RADIUS servers cannot be used with the EAP-TLS protocol. For more information, see “Usage.”

Defaults
By default, authentication is unconfigured for all clients with network access through MP ports or wired authentication ports on the MX. Connection, authorization, and accounting are also disabled for these users.
Bonded authentication is disabled by default.

Access
Enabled.

History
Version 1.0    Command introduced
Version 2.1    bonded option added for bonded authentication
Version 3.0    ssid ssid-name and wired options added

Usage
You can configure different authentication methods for different groups of users by “globbing.” (For details, see “User Globs” on page 2–7.)
You can configure a rule either for wireless access to an SSID, or for wired access through an MX wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name or
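The protocol and method constraints described above (EAP-TLS only with the local database, eap-md5 for wired clients, peap-mschapv2 for wireless clients, one to four methods) can be checked before a rule is entered. The checker below is an added example, not MSS code or MSS command syntax; it assumes a hypothetical simplified rule representation (Dot1xRule) in which methods are "local" or RADIUS server group names.

```python
"""Checks a planned 802.1X authentication rule against the protocol/method
constraints this page states. Added example; not MSS code or syntax."""
from dataclasses import dataclass

PROTOCOLS = {"eap-md5", "eap-tls", "peap-mschapv2", "pass-through"}
MAX_METHODS = 4  # at least one and up to four methods


@dataclass
class Dot1xRule:
    """Hypothetical simplified representation of one rule (not MSS syntax)."""
    access: str    # "ssid" (wireless) or "wired" (wired authentication port)
    protocol: str  # one of PROTOCOLS
    methods: list  # "local" and/or RADIUS server group names, in priority order


def validate_dot1x_rule(rule: Dot1xRule) -> list:
    """Return the list of violations; an empty list means the rule is consistent."""
    problems = []
    if rule.access not in ("ssid", "wired"):
        problems.append(f"unknown access type {rule.access!r}")
    if rule.protocol not in PROTOCOLS:
        problems.append(f"unknown protocol {rule.protocol!r}")
    if not 1 <= len(rule.methods) <= MAX_METHODS:
        problems.append(f"{len(rule.methods)} methods given; need 1 to {MAX_METHODS}")
    if len(set(rule.methods)) != len(rule.methods):
        problems.append("a method is listed more than once")
    server_groups = [m for m in rule.methods if m != "local"]
    # eap-tls needs the user information in the MX local database, so no RADIUS groups.
    if rule.protocol == "eap-tls" and server_groups:
        problems.append(f"eap-tls cannot use RADIUS server groups {server_groups}; use local")
    # eap-md5 is described for wired authentication clients only.
    if rule.protocol == "eap-md5" and rule.access != "wired":
        problems.append("eap-md5 is for wired authentication clients, not SSID rules")
    # peap-mschapv2 is described for wireless clients only.
    if rule.protocol == "peap-mschapv2" and rule.access != "ssid":
        problems.append("peap-mschapv2 is for wireless (SSID) clients, not wired rules")
    # pass-through hands EAP processing to a RADIUS server, so a group must be listed
    # (assumption drawn from the parameter description above).
    if rule.protocol == "pass-through" and not server_groups:
        problems.append("pass-through needs at least one RADIUS server group method")
    return problems


if __name__ == "__main__":
    # Constructed sample rules; the first is the EAP-TLS/RADIUS mistake noted above.
    for rule in (Dot1xRule("ssid", "eap-tls", ["corp-radius"]),
                 Dot1xRule("ssid", "eap-tls", ["local"]),
                 Dot1xRule("wired", "eap-md5", ["local", "corp-radius"])):
        print(rule, "->", validate_dot1x_rule(rule) or "OK")
```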