CHAPTER 9: AAA AND RADIUS OPERATION

All supplicants belong to the default domain 3com163.net, which can hold up to 30 users. RADIUS authentication is tried first; if the RADIUS server does not respond, local authentication is used instead. Accounting is mandatory: if the RADIUS server fails to account for the user, the user is disconnected. When the user name is sent to the RADIUS server, the domain name is not appended to it. If a user's traffic stays below 2 kbps continuously for 20 minutes, the user is disconnected (idle cut). Note that the RADIUS-then-local fallback means that anyone who can make both RADIUS servers unreachable forces authentication against the local account, so that account needs a strong password and the same care as the RADIUS user database.

A server group of two RADIUS servers, 10.11.1.1 and 10.11.1.2, is connected to the switch. 10.11.1.1 is the primary authentication server and the secondary accounting server; 10.11.1.2 is the secondary authentication server and the primary accounting server. The shared key used when exchanging packets with the authentication RADIUS server is "name", and the shared key used with the accounting RADIUS server is "money" (these are placeholder values; the shared key is the only thing that authenticates the switch to the server and hides the User-Password attribute, so a deployment needs long random secrets). The switch retransmits a packet if no response is received within 5 seconds, and gives up after 5 retransmissions. The switch sends a real-time accounting packet to the RADIUS server every 15 minutes. The user name is sent to the RADIUS server with the domain name removed.

The local 802.1x access user has the user name localuser and the password localpass (entered in plain text). The idle cut function is enabled.

Figure 56 Enabling 802.1x and RADIUS to Perform AAA on the Requester (topology: the Requestor is attached to port E1/0/2 of the Switch, which acts as the Authenticator; the Switch reaches the authentication servers, a RADIUS server cluster with IP addresses 10.11.1.1 and 10.11.1.2, across the Internet)

The following example covers most of the AAA/RADIUS configuration commands. Configuration of the user workstation and of the RADIUS server itself is omitted.

1 Enable 802.1x on the specified port, Ethernet 1/0/2.

[SW7750]dot1x interface ethernet 1/0/2

2 Set the access control method to MAC-based. (This command can be omitted, because MAC-based is the default.)

[SW7750]dot1x port-method macbased interface ethernet 1/0/2

3 Create the RADIUS scheme radius1 and enter its configuration view.

[SW7750]radius scheme radius1

4 Set the IP addresses of the primary authentication and primary accounting RADIUS servers.
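The full switch-side configuration that the requirements above describe, written out as an added example; it is not the manual's own listing (this page shows the manual's procedure only through step 3). Command syntax follows the 3Com/H3C Comware v3 command family that the commands on this page belong to, and is an assumption where this page does not show it: in particular the keyword of the response-timeout command, the command that binds the scheme to the domain, and the unit of the idle-cut traffic argument vary between releases, so check them against your release's command reference. Lines beginning with # are annotations, not commands.

```text
# 1. 802.1x on the access port (MAC-based is the default; shown for completeness)
[SW7750]dot1x interface ethernet 1/0/2
[SW7750]dot1x port-method macbased interface ethernet 1/0/2

# 2. RADIUS scheme: server roles, per-service shared keys, timers, user-name format
[SW7750]radius scheme radius1
[SW7750-radius-radius1]primary authentication 10.11.1.1
[SW7750-radius-radius1]secondary authentication 10.11.1.2
[SW7750-radius-radius1]primary accounting 10.11.1.2
[SW7750-radius-radius1]secondary accounting 10.11.1.1
[SW7750-radius-radius1]key authentication name
[SW7750-radius-radius1]key accounting money
# response-timeout keyword assumed; some releases spell this "timer 5"
[SW7750-radius-radius1]timer response-timeout 5
[SW7750-radius-radius1]retry 5
[SW7750-radius-radius1]timer realtime-accounting 15
[SW7750-radius-radius1]user-name-format without-domain
[SW7750-radius-radius1]quit

# 3. Domain: RADIUS first, local only when RADIUS gives no response.
#    Accounting stays mandatory (no "accounting optional"), so an accounting
#    failure drops the user as required. 30-user limit and idle cut enabled.
[SW7750]domain 3com163.net
# scheme binding command assumed; older releases use "radius-scheme radius1"
[SW7750-isp-3com163.net]scheme radius-scheme radius1 local
[SW7750-isp-3com163.net]access-limit enable 30
# 20 = minutes; second argument is the traffic threshold (this page states 2 kbps;
# confirm the unit your release expects before copying the value)
[SW7750-isp-3com163.net]idle-cut enable 20 2000
[SW7750-isp-3com163.net]quit
[SW7750]domain default enable 3com163.net

# 4. Local fallback account used when both RADIUS servers stop responding
[SW7750]local-user localuser
[SW7750-luser-localuser]service-type lan-access
[SW7750-luser-localuser]password simple localpass
[SW7750-luser-localuser]quit

# 5. Enable 802.1x globally; the port-level dot1x setting takes effect only now
[SW7750]dot1x
```

Two points worth checking before this goes into production. "password simple" keeps the fallback password in clear text in the saved configuration, and that account is exactly what an attacker reaches by blocking UDP traffic to 10.11.1.1 and 10.11.1.2 for longer than the retransmit window (5 seconds times 5 retries per server); "password cipher" stores it encrypted and is the better choice. Likewise "name" and "money" are illustrative shared keys and should be replaced with long random secrets, one per server role, since a guessable key lets anyone on the path forge Access-Accept replies and recover hidden User-Password values.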

3Com 10014298 manual, Switch 7750