
Overriding aaa-assigned vlans – 3Com WX4400 3CRWX440095A User Manual


CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS

Combining EAP Offload with Pass-Through Authentication

The following example illustrates how to enable PEAP-MS-CHAP-V2
offload for the marketing (mktg) group and RADIUS pass-through
authentication for members of engineering. This example assumes that
engineering members are using DNS-style naming, such as is used with
EAP-TLS. A WX server certificate is also required.

1 Configure the RADIUS server r1 at IP address 10.1.1.1 with the string starry for the key. Type the following command:

WX1200# set radius server r1 address 10.1.1.1 key starry

2 Configure the server group sg1 with member r1. Type the following command:

WX1200# set server group sg1 members r1

3 To authenticate all 802.1X users of SSID bobblehead in the group mktg using PEAP on the WX switch and MS-CHAP-V2 on server sg1, type the following command:

WX1200# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1

4 To authenticate all 802.1X users of SSID aircorp in @eng.example.com via pass-through to sg1, type the following command:

WX1200# set authentication dot1x ssid aircorp *@eng.example.com pass-through sg1

5 Save the configuration:

WX1200# save config
success: configuration saved.
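
Added example (not from the 3Com manual): a Python model of how the two authentication rules in steps 3 and 4 select an EAP method by SSID and user glob, useful for checking which usernames a rule set actually covers before deploying it. It assumes user-glob semantics in which a single * stops at an @ or . delimiter, ** matches anything, and rules are checked in configuration order; the function names and sample logins are constructed for illustration.

```python
import re

# Authentication rules from steps 3 and 4, in configuration order:
# (SSID, user glob, EAP handling, server group)
RULES = [
    ("bobblehead", r"mktg\*", "peap-mschapv2", "sg1"),
    ("aircorp", "*@eng.example.com", "pass-through", "sg1"),
]

DELIMITERS = "@."  # assumption: a single * does not cross these characters


def glob_to_regex(glob):
    """Translate a user glob into a compiled regular expression."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):      # assumed: ** matches any string
            out.append(".*")
            i += 2
        elif glob[i] == "*":              # assumed: * stops at a delimiter
            out.append("[^" + re.escape(DELIMITERS) + "]*")
            i += 1
        else:                             # everything else is literal
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))


def match_rule(ssid, username, rules=RULES):
    """Return (method, server group) of the first matching rule, else None."""
    for rule_ssid, glob, method, group in rules:
        if rule_ssid == ssid and glob_to_regex(glob).fullmatch(username):
            return method, group
    return None  # no 802.1X rule covers this SSID/username pair


def audit(logins, rules=RULES):
    """Pair each (ssid, username) with the rule outcome for review."""
    return [(ssid, user, match_rule(ssid, user, rules)) for ssid, user in logins]


# Constructed sample logins, not taken from the manual.
SAMPLE_LOGINS = [
    ("bobblehead", "mktg\\alice"),
    ("aircorp", "bob@eng.example.com"),
    ("aircorp", "bob.smith@eng.example.com"),  # dot in the user part
    ("aircorp", "mktg\\alice"),                # marketing user on wrong SSID
]

if __name__ == "__main__":
    for ssid, user, hit in audit(SAMPLE_LOGINS):
        print(f"{ssid:11} {user:28} -> {hit or 'no matching rule'}")
```

Under the stated delimiter assumption, a username such as bob.smith@eng.example.com falls outside *@eng.example.com, so the audit flags it as matching no rule.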

Overriding AAA-Assigned VLANs

The following example shows how to change the VLAN access of wireless
users in an organization housed in multiple buildings.

Suppose the wireless users on the faculty of a college English department
have offices in building A and are authorized to use that building’s
bldga-prof- VLANs. These users also teach classes in building B. Because
you do not want to tunnel these users back to building A from building B
when they use their wireless laptops in class, you configure the location
policy on the WX switch to redirect them to the bldgb-eng VLAN.

You also want to allow writing instructors normally authorized to use any
-techcomm VLAN in the college to access the network through the
bldgb-eng VLAN when they are in building B.