Remote authentication with local backup – 3Com WX4400 3CRWX440095A User Manual

Page 444

Chapter 21: Configuring AAA for Network Users

Remote Authentication with Local Backup

You can use a combination of authentication methods; for example,
PEAP offload and local authentication. When PEAP offload is configured,
the WX switch offloads all EAP processing from server groups; the
RADIUS servers are not required to communicate using the EAP
protocols. (For details, see “Configuring EAP Offload” on page 449.) In
the event that RADIUS servers are unavailable, local authentication takes
place, using the database on the WX switch.

Suppose an administrator wants to rely on RADIUS servers and also wants
to ensure that a certain group of users always gets access. As shown in
the following example, the administrator can enable PEAP offload, so
that authentication is performed by a RADIUS server group as the first
method for these users, and configure local authentication last, in case
the RADIUS servers are unavailable. (See Figure 31.)

1 To configure server-1 and server-2 at IP addresses 192.168.253.1 and 192.168.253.2 with the password chey3nn3, the administrator enters the following commands:

WX1200# set radius server server-1 address 192.168.253.1 key chey3nn3
WX1200# set radius server server-2 address 192.168.253.2 key chey3nn3

2 To configure server-1 and server-2 into server-group-1, the administrator enters the following command:

WX1200# set server group server-group-1 members server-1 server-2

3 To enable PEAP offload plus local authentication for all users of SSID mycorp at @example.com, the administrator enters the following command:

WX1200# set authentication dot1x ssid mycorp *@example.com pass-through server-group-1 local
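
The method order configured in step 3 (server-group-1 first, local last), modelled as an added Python example; it is not from the 3Com manual and is not switch code. It assumes the common AAA rule that the next method is tried only when the current one gives no response, so a RADIUS reject is final. The user names, passwords and function names are constructed for illustration, and EAP is reduced to a password comparison.

```python
import hmac
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"  # server unreachable or timed out

# Constructed sample data, not taken from the manual.
RADIUS_USERS = {"alice@example.com": "radius-pw-a", "bob@example.com": "radius-pw-b"}
LOCAL_USERS = {"alice@example.com": "local-pw-a"}  # only alice has a local backup entry

def check(db, user, password):
    stored = db.get(user)
    ok = stored is not None and hmac.compare_digest(stored, password)
    return Result.ACCEPT if ok else Result.REJECT

def radius_up(user, password):      # hypothetical reachable RADIUS server
    return check(RADIUS_USERS, user, password)

def radius_down(user, password):    # hypothetical unreachable RADIUS server
    return Result.NO_RESPONSE

def server_group(members):
    """Build a method that asks members in order; the first to answer decides."""
    def method(user, password):
        for server in members:
            answer = server(user, password)
            if answer is not Result.NO_RESPONSE:
                return answer
        return Result.NO_RESPONSE
    return method

def local(user, password):
    return check(LOCAL_USERS, user, password)

def authenticate(methods, user, password):
    """Walk the method list; move on only when a method gives no response."""
    for name, method in methods:
        answer = method(user, password)
        if answer is not Result.NO_RESPONSE:
            return name, answer
    return None, Result.REJECT  # nothing answered: fail closed

def method_list(server_1, server_2):
    """Mirror of the configured order: server-group-1 first, local last."""
    return [("server-group-1", server_group([server_1, server_2])), ("local", local)]

if __name__ == "__main__":
    outage = method_list(radius_down, radius_down)
    print(authenticate(outage, "alice@example.com", "local-pw-a"))
    print(authenticate(outage, "bob@example.com", "radius-pw-b"))
```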