
Radius offload for 802.1x users, Network requirements, Configuration procedure – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


connection information. Executing the display interface wlan-dbss command, you can see the WLAN-DBSS access port has been added to VLAN 100.

RADIUS offload for 802.1X users

Network requirements

As shown in Figure 47, configure the AC to cooperate with the RADIUS server for RADIUS authentication, authorization, and accounting of 802.1X users.

The RADIUS server does not support EAP authentication.

Configure PEAP-MSCHAPv2 authentication between the 802.1X client and the AC.

Configure the AC and the RADIUS server to use the shared key expert to authenticate
authentication and accounting packets exchanged between them.

Figure 47 Network diagram

Configuration procedure

NOTE:

If the host runs the 802.1X client of Windows XP, the network properties of the connection must be configured as follows: In the Authentication tab, select Enable IEEE 802.1x authentication for this network and then select Protected EAP (PEAP) as the EAP authentication type and EAP MSCHAP v2 as the authentication method.

If the host runs the iNode 802.1X client, the advanced authentication option of certificate authentication
must be selected.

On the RADIUS server, configure the shared key for authenticating packets exchanged with the AC to
expert, and add a username and password for the 802.1X user. (Details not shown.)
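
How the shared key authenticates the packets exchanged between the AC and the RADIUS server, as an added example (not part of the H3C manual): it builds and checks the Authenticator field defined in RFC 2865 and RFC 2866 using the key expert from this configuration. The user name, session ID, identifiers and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

SECRET = b"expert"   # shared key from the manual's example
ZERO16 = bytes(16)   # seed for an Accounting-Request (RFC 2866)

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def sign(code: int, ident: int, attrs: bytes, seed: bytes, secret: bytes) -> bytes:
    """Build a packet whose Authenticator is
    MD5(Code + Identifier + Length + seed + Attributes + secret).
    seed is 16 zero octets for an Accounting-Request, or the Request
    Authenticator of the matching request for any reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + seed + attrs + secret).digest()
    return header + digest + attrs

def verify(pkt: bytes, seed: bytes, secret: bytes) -> bool:
    """Recompute the Authenticator of a received packet and compare."""
    if len(pkt) < 20:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        return False          # truncated or malformed: discard
    expected = hashlib.md5(pkt[:4] + seed + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

# Constructed sample traffic (user name and session ID are made up).
ACCT_ATTRS = (attr(1, b"dot1x-user")                 # User-Name
              + attr(40, struct.pack("!I", 1))       # Acct-Status-Type = Start
              + attr(44, b"0001"))                   # Acct-Session-Id
ACCT_REQUEST = sign(4, 7, ACCT_ATTRS, ZERO16, SECRET)    # AC -> server
REQ_AUTH = bytes(range(16))        # constructed; random per request in practice
ACCESS_ACCEPT = sign(2, 9, b"", REQ_AUTH, SECRET)        # server -> AC

def tamper(pkt: bytes) -> bytes:
    """Flip one bit in the last octet to simulate modification in transit."""
    return pkt[:-1] + bytes([pkt[-1] ^ 1])

if __name__ == "__main__":
    print("acct ok:", verify(ACCT_REQUEST, ZERO16, SECRET))
    print("acct, wrong key:", verify(ACCT_REQUEST, ZERO16, b"wrongkey"))
    print("acct, tampered:", verify(tamper(ACCT_REQUEST), ZERO16, SECRET))
    print("accept ok:", verify(ACCESS_ACCEPT, REQ_AUTH, SECRET))
```

An Access-Request carries a random Request Authenticator rather than a keyed hash, so the shared key covers it only when a Message-Authenticator attribute is present; replies and accounting requests are covered by the check above.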

1. Obtain the CA certificate and local certificate

If the CA certificate file and local certificate file are already saved on the AC, import the certificates in offline mode. Otherwise, you must request a local certificate for the AC and obtain the CA certificate in online mode. Suppose that the PKI domain is eappki. For more information about the configuration steps, see "Configuring PKI."

2. Configure the SSL server policy

# Create SSL server policy eapsvr, and configure it to use PKI domain eappki.

<AC> system-view
[AC] ssl server-policy eapsvr
[AC-ssl-server-policy-eapsvr] pki-domain eappki