Operation Manual

AAA Commands
specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an
SSID name.
You cannot configure client authentication that uses both EAP-TLS protocol and one or more
RADIUS servers. EAP-TLS authentication is supported only on the local MX database.
If you specify multiple authentication methods in the set authentication dot1x command, MSS
applies them in the order in which they appear in the command, with these results:
If the first method responds with pass or fail, the evaluation is final.
If the first method does not respond, MSS tries the second method, and so on.
However, if local appears first, followed by a RADIUS server group, MSS overrides any failed
searches in the local MX database and sends an authentication request to the server group.
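The ordering rules above, modelled as an added example (not MSS code and not part of the manual). The outcome names, function names and sample responses are constructed; the model treats any local fail as a failed search, and returns `undecided` when no method gives a final answer, a case the text above does not describe.

```python
PASS, FAIL, NO_RESPONSE, UNDECIDED = "pass", "fail", "no-response", "undecided"

def local_fail_is_final(methods):
    """False when 'local' is listed first and followed by a server group:
    in that order a failed local search is overridden, not final."""
    return not (len(methods) > 1 and methods[0] == "local"
                and methods[1] != "local")

def evaluate(methods, responses):
    """Walk the methods in command order.

    methods   -- names as listed in the rule, e.g. ["local", "sg1"]
    responses -- constructed map of method name -> outcome; a missing
                 name is treated as a method that does not respond
    Returns (decision, trace); trace lists each method that was tried.
    """
    trace = []
    for index, name in enumerate(methods):
        result = responses.get(name, NO_RESPONSE)
        trace.append((name, result))
        if result == NO_RESPONSE:
            continue  # no answer: try the next method
        if (result == FAIL and index == 0 and name == "local"
                and not local_fail_is_final(methods)):
            continue  # local-first exception: forward to the server group
        return result, trace  # pass or fail from any other position is final
    return UNDECIDED, trace

if __name__ == "__main__":
    # Constructed scenarios: same two answers, different method order.
    answers = {"local": FAIL, "sg1": PASS}
    for order in (["local", "sg1"], ["sg1", "local"]):
        print(order, evaluate(order, answers))
    # A group that rejects first is final even though local would pass.
    print(evaluate(["sg1", "local"], {"sg1": FAIL, "local": PASS}))
```

When reviewing a rule list, `local_fail_is_final` marks the orderings in which a user absent from the local MX database is still sent to RADIUS.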
If the user does not support 802.1X, MSS attempts to perform MAC authentication for the user. In
this case, if the MX configuration contains a set authentication mac command that matches the
SSID the user is attempting to access and the user MAC address, MSS uses the method specified
by the command. Otherwise, MSS uses local MAC authentication by default.
If the username does not match an authentication rule for the SSID the user is attempting to
access, MSS uses the fallthru authentication type configured for the SSID, which can be
last-resort, web-portal (for WebAAA), or none.
The following command configures EAP-TLS authentication in the local MX database for SSID
mycorp and 802.1X client Geetha:
MX# set authentication dot1x ssid mycorp Geetha eap-tls local
success: change accepted.
The following command configures PEAP-MS-CHAP-V2 authentication at RADIUS server groups
sg1 through sg3 for all 802.1X clients at example.com who want to access SSID examplecorp:
MX# set authentication dot1x ssid examplecorp *@example.com peap-mschapv2 sg1 sg2 sg3
success: change accepted.
See Also
clear authentication dot1x on page 9-151
set authentication admin on page 9-164
set authentication console on page 9-165
set authentication mac on page 9-170
set authentication web on page 9-174
set service-profile [rsn-id | wpa-ie] auth-fallthru on page 12-287
show aaa on page 9-190
set authentication last-resort
Deprecated in MSS Version 5.0. The last-resort user is not required or supported in MSS Version
5.0. Instead, a user who accesses the network on an SSID by using the fallthru access type
last-resort is automatically a last-resort user. The authorization attributes assigned to the user
come from the default authorization attributes set on the SSID.