Configuring AAA for Network Users

Ways a WSS Switch Can Use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a WSS switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WSS, or to offload some authentication tasks from the server group. Table 29 on page 416 details these three basic WSS authentication approaches.

(For information about digital certificates, see “Managing Keys and Certificates,” on page 379.)

Table 29: Three Basic WSS Approaches to EAP Authentication

| Approach | Description |
|---|---|
| Pass-through | An EAP session is established directly between the client and RADIUS server, passing through the WSS switch. User information resides on the server. All authentication information and certificate exchanges pass through the switch or use client certificates issued by a certificate authority (CA). In this case, the switch does not need a digital certificate, although the client might. |
| Local | The WSS switch performs all authentication using information in a local user database configured on the switch, or using a client-supplied certificate. No RADIUS servers are required. In this case, the switch needs a digital certificate. If you plan to use the EAP with Transport Layer Security (EAP-TLS) authentication protocol, the clients also need certificates. |
| Offload | The WSS switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client. In this case, the switch needs a digital certificate. If you plan to use the EAP-TLS authentication protocol, the clients also need certificates. When you use offload, RADIUS can still be used for non-EAP authentication and authorization. |

320657-A

Nortel Networks 2300 manual Ways an WSS Switch Can Use EAP