Configuring AAA for Network Users

Configuring Authentication for 802.1X Users of a Third-Party AP

To configure WSS Software to authenticate 802.1X users of a third-party AP, use the commands below to do the following:

Configure the port connected to the AP as a wired authentication port. Use the following command:

set port type wired-auth port-list [tag tag-list] [max-sessions num] [auth-fall-thru {last-resort | none | web-portal}]

Configure a MAC authentication rule for the AP. Use the following command:

set authentication mac wired mac-addr-wildcard method1

Configure the WSS port connected to the AP as a RADIUS proxy for the SSID supported by the AP. If SSID traffic from the AP is tagged, assign the same tag value to the WSS port. Use the following command:

set radius proxy port port-list [tag tag-value] ssid ssid-name

Add a RADIUS proxy entry for the AP. The proxy entry specifies the IP address of the AP and the UDP port on which the WSS switch listens for RADIUS traffic from the AP. Use the following command:

set radius proxy client address ip-address [port udp-port-number] key string

Configure a proxy authentication rule for the AP’s users. Use the following command:

set authentication proxy ssid ssid-name user-wildcard radius-server-group

For the port-list of the set port type wired-auth and set radius proxy port commands, specify the WSS port(s) connected to the third-party AP.

For the ip-address of the set radius proxy client address command, specify the IP address of the RADIUS client (the third-party AP). For the udp-port-number, specify the UDP port on which the WSS switch will listen for RADIUS traffic. The default is UDP port 1812.

The following command configures WSS ports 3 and 4 as wired authentication ports, and assigns tag value 104 to the ports:

23x0# set port type wired-auth 3-4 tag 104

success: change accepted.

You can specify multiple tag values. Specify the tag value for each SSID you plan to support.

The following command configures a MAC authentication rule that matches on the third-party AP’s MAC address. Because the AP is connected to the WSS switch on a wired authentication port, the wired option is used.

23x0# set authentication mac wired aa:bb:cc:01:01:01 srvrgrp1

success: change accepted.

The following command maps SSID mycorp to packets received on port 3 or 4, using 802.1Q tag value 104:

23x0# set radius proxy port 3-4 tag 104 ssid mycorp

success: change accepted.
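The five steps above depend on each other: the proxy port mapping must use ports and a tag that the wired authentication ports carry, and each mapped SSID needs a proxy authentication rule. The following consistency check is an added example, not part of the Nortel manual or WSS Software. The function names, the comma-separated list form, and the sample address, key and user wildcard are assumptions constructed for illustration.

```python
import re

# Constructed sample; the address, key and user wildcard are placeholders.
SAMPLE = """\
set port type wired-auth 3-4 tag 104
set authentication mac wired aa:bb:cc:01:01:01 srvrgrp1
set radius proxy port 3-4 tag 104 ssid mycorp
set radius proxy client address 192.0.2.10 port 1812 key EXAMPLE-KEY
set authentication proxy ssid mycorp ** srvrgrp1
"""

def expand(spec):
    """Expand '3-4' or '1,3-4' into a set of ints (comma form is assumed)."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

RULES = {
    "wired": re.compile(r"set port type wired-auth (\S+)(?: tag (\S+))?"),
    "mac": re.compile(r"set authentication mac wired (\S+) (\S+)"),
    "pport": re.compile(r"set radius proxy port (\S+)(?: tag (\S+))? ssid (\S+)"),
    "client": re.compile(r"set radius proxy client address (\S+)(?: port (\d+))? key \S+"),
    "proxy": re.compile(r"set authentication proxy ssid (\S+) (\S+) (\S+)"),
}

def check(config):
    """Return a list of findings for a third-party-AP 802.1X configuration."""
    lines = config.splitlines()
    found = {k: [m.groups() for l in lines if (m := rx.search(l))]
             for k, rx in RULES.items()}
    problems, wired = [], {}  # wired: port number -> tags accepted on it
    for ports, tags in found["wired"]:
        for p in expand(ports):
            wired.setdefault(p, set()).update(expand(tags) if tags else ())
    for key, what in (("mac", "MAC authentication rule"),
                      ("client", "RADIUS proxy client entry")):
        if not found[key]:
            problems.append(f"no {what} for the AP")
    proxied = {ssid for ssid, _user, _group in found["proxy"]}
    for ports, tag, ssid in found["pport"]:
        for p in sorted(expand(ports)):
            if p not in wired:
                problems.append(f"port {p} is not a wired-auth port")
            elif tag and int(tag) not in wired[p]:
                problems.append(f"port {p} lacks tag {tag} used for SSID {ssid}")
        if ssid not in proxied:
            problems.append(f"no proxy authentication rule for SSID {ssid}")
    return problems
```

Calling check() on a saved configuration returns an empty list when all five steps are present and agree on ports, tags and SSID.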

320657-A
