CHAPTER 2: PLANNING AND MANAGING YOUR WIRELESS NETWORK WITH 3WXM

If services are being used for customer corporate entities (e.g. different airlines on an airport wireless net), then they would probably use 802.1X and strong encryption with web guest access for their airport club guests. If the services are being used to advertise multiple wireless service providers (WISP), such as T-Mobile™, Wayport®, and Boingo Wireless™, then these services would probably be completely open. However, they would likely be assigned to their own dedicated subnet containing their proxy server/billing gateway.

AAA Security Configuration

An administrator can control the way in which users access the network. For each service you provide, you can configure unique authentication, authorization, and accounting (AAA) security features, creating an entirely virtualized wireless service. For each service, you configure:

• Multiple authentication choices (802.1X, Web, AAA, MAC authentication, Bonded Auth, open)

• AAA methods (up to four RADIUS server groups, or a local database on the WX switch)

Authentication

Authentication is the method of determining whether a user is allowed access to your network. Users can be authenticated by a RADIUS server (pass-through) or by the WX switch local database (local). The WX switch can also assist the RADIUS server by performing the Extensible Authentication Protocol (EAP) processing for the server (offload).

To authenticate users, you will need to configure users either in the local database or on RADIUS servers. Each user will have a username, password, and RADIUS and/or vendor-specific attributes (VSAs). You will also need to configure authentication rules (802.1X, MAC, last-resort, or web authentication).

Figure 8 on page 39 shows a flowchart of the authentication process. Generally, 802.1X authentication is attempted first. If the user fails, then MAC authentication is attempted. If that also fails, then last-resort or web authentication is used. For a service profile, you specify web authentication, last-resort, or none in the auth-fall-thru box. You can select only one.
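The fall-through order described above can be modeled to check what a service profile admits once 802.1X and MAC authentication have failed. This is an added example, not 3Com code: the class and function names are hypothetical, the profiles are constructed, and it assumes last-resort admits a client without checking credentials.

```python
from dataclasses import dataclass

FALL_THRU = ("web-auth", "last-resort", "none")  # the one-of-three auth-fall-thru choice

@dataclass
class ServiceProfile:            # hypothetical model, not a 3WXM/WX object
    ssid: str
    dot1x_rule: bool = False     # an 802.1X authentication rule is configured
    mac_rule: bool = False       # a MAC authentication rule is configured
    auth_fall_thru: str = "none"

@dataclass
class Client:                    # constructed test client
    dot1x_ok: bool = False       # would pass 802.1X (EAP) authentication
    mac_ok: bool = False         # MAC address is a configured user
    web_ok: bool = False         # would pass the web login

def authenticate(p: ServiceProfile, c: Client) -> tuple[str, bool]:
    """Return (method that decided, access granted) in the order the text gives."""
    if p.auth_fall_thru not in FALL_THRU:
        raise ValueError(f"auth-fall-thru must be one of {FALL_THRU}")
    if p.dot1x_rule and c.dot1x_ok:
        return "802.1X", True
    if p.mac_rule and c.mac_ok:
        return "MAC", True
    if p.auth_fall_thru == "web-auth":
        return "web-auth", c.web_ok
    if p.auth_fall_thru == "last-resort":
        return "last-resort", True   # assumption: last-resort checks no credentials
    return "none", False

def audit(p: ServiceProfile) -> list[str]:
    """Flag profiles whose fall-through admits clients that failed stronger methods."""
    if p.auth_fall_thru == "last-resort" and (p.dot1x_rule or p.mac_rule):
        return [f"{p.ssid}: 802.1X/MAC failures still get access via last-resort"]
    return []

# Constructed profiles mirroring the airport scenario described earlier on the page.
AIRLINE = ServiceProfile("airline-corp", dot1x_rule=True, auth_fall_thru="web-auth")
WISP = ServiceProfile("wisp-open", auth_fall_thru="last-resort")
MISCONFIGURED = ServiceProfile("staff", dot1x_rule=True, mac_rule=True,
                               auth_fall_thru="last-resort")
```

Running `audit` over each profile before deployment shows where the single auth-fall-thru choice quietly overrides the stronger rules configured for the same service.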

3Com CRWXR10095A, 3CRWX440095A, 3CRWX120695A manual Authentication