DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users

Requirements

Third-Party AP Requirements

• The third-party AP must be connected to the switch through a wired Layer 2 link. MSS cannot provide data services if the AP and switch are in different Layer 3 subnets.
• The AP must be configured as the switch’s RADIUS client.
• The AP must be configured so that all traffic for a given SSID is mapped to the same 802.1Q tagged VLAN. If the AP has multiple SSIDs, each SSID must use a different tag value.
• The AP must be configured to send the following information in a RADIUS access-request for each user who wants to connect to the WLAN through the switch:
  • SSID requested by the user. The SSID can be attached to the end of the called-station-id (per Congdon), or can be in a VSA (for example, cisco-vsa:ssid=r12-cisco-1).
  • Calling-station-id that includes the user’s MAC address. The MAC address can be in any of the following formats:
    ❍ Separated by colons (for example, AA:BB:CC:DD:EE:FF)
    ❍ Separated by dashes (for example, AA-BB-CC-DD-EE-FF)
    ❍ Separated by dots (for example, AABB.CCDD.EEFF)
  • Username
• The AP must be configured to send a RADIUS stop-accounting record when a user’s session ends.

Switch Requirements

• The switch port connected to the third-party AP must be configured as a wired authentication port. If SSID traffic from the AP is tagged, the same VLAN tag value must be used on the wired authentication port.
• A MAC authentication rule must be configured to authenticate the AP.
• The switch must be configured as a RADIUS proxy for the AP. The switch is a RADIUS server to the AP but remains a RADIUS client to the real RADIUS servers.
• An authentication proxy rule must be configured for the AP’s users. The rule matches based on SSID and username, and selects the authentication method (a RADIUS server group) for proxying.

RADIUS Server Requirements

• For 802.1X users, the usernames and passwords must be configured on the RADIUS server.
• For non-802.1X users of a tagged SSID, the special username web-portal-ssid or last-resort-ssid must be configured, where ssid is the SSID name. The fallthru authentication type (web-portal or last-resort) specified for the wired authentication port connected to the AP determines which username you need to configure.
• For any users of an untagged SSID, the special username web-portal-wired or last-resort-wired must be configured, depending on the fallthru authentication type specified for the wired authentication port.
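The following Python script is an added illustration, not code from the manual or from D-Link, of the checks a RADIUS proxy has to perform on what the third-party AP sends (the "Third-Party AP Requirements" above) and of the special usernames the RADIUS server must hold (the "RADIUS Server Requirements" above). It normalizes the three accepted MAC address formats, extracts the SSID either from a cisco-vsa:ssid= VSA or from a Congdon-style called-station-id, matches an authentication proxy rule on SSID and username, and derives the web-portal-/last-resort- username for a tagged or untagged SSID. The attribute dictionary keys, the proxy-rule tuple layout, the separator accepted inside the Congdon MAC prefix, and all sample values other than those quoted from the manual are assumptions made for this example.

```python
import re
from fnmatch import fnmatchcase

# The three MAC formats the manual accepts in Calling-Station-Id.
_MAC_FORMS = [
    re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$"),   # AA:BB:CC:DD:EE:FF
    re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$"),   # AA-BB-CC-DD-EE-FF
    re.compile(r"^[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}$"),  # AABB.CCDD.EEFF
]


def normalize_mac(value):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff if it is in one of the
    three accepted formats, otherwise None (so a malformed value is rejected
    rather than silently matched against a MAC authentication rule)."""
    if not any(form.match(value) for form in _MAC_FORMS):
        return None
    digits = re.sub(r"[:.\-]", "", value).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Congdon-style Called-Station-Id: <AP MAC>:<SSID>. Accepting any of the three
# separators in the MAC prefix is an assumption; the manual does not fix it.
_CONGDON = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})"
    r":(?P<ssid>.+)$"
)
_VSA_PREFIX = "cisco-vsa:ssid="


def extract_ssid(attrs):
    """SSID from a cisco-vsa:ssid=NAME VSA, falling back to the SSID appended
    to Called-Station-Id. Returns None if neither carries one."""
    vsa = attrs.get("vsa", "")
    if vsa.startswith(_VSA_PREFIX) and len(vsa) > len(_VSA_PREFIX):
        return vsa[len(_VSA_PREFIX):]
    m = _CONGDON.match(attrs.get("called-station-id", ""))
    return m.group("ssid") if m else None


def check_access_request(attrs):
    """Return (parsed, problems). parsed holds ssid, mac and username;
    problems lists each AP requirement from the manual the request misses."""
    problems = []
    ssid = extract_ssid(attrs)
    if ssid is None:
        problems.append("no SSID in Called-Station-Id suffix or cisco-vsa:ssid VSA")
    mac = normalize_mac(attrs.get("calling-station-id", ""))
    if mac is None:
        problems.append("Calling-Station-Id is not a MAC in colon, dash or dot form")
    username = attrs.get("user-name")
    if not username:
        problems.append("User-Name missing")
    return {"ssid": ssid, "mac": mac, "username": username}, problems


def select_server_group(ssid, username, proxy_rules):
    """First authentication proxy rule whose SSID equals the request's SSID and
    whose username glob matches; proxy_rules is a list of
    (ssid, username_glob, server_group) tuples (assumed layout)."""
    for rule_ssid, user_glob, group in proxy_rules:
        if rule_ssid == ssid and fnmatchcase(username, user_glob):
            return group
    return None


def required_special_username(fallthru, ssid, tagged):
    """Username the RADIUS server must hold for non-802.1X users:
    <fallthru>-<ssid> for a tagged SSID, <fallthru>-wired for an untagged one."""
    if fallthru not in ("web-portal", "last-resort"):
        raise ValueError("fallthru must be web-portal or last-resort")
    return f"{fallthru}-{ssid}" if tagged else f"{fallthru}-wired"


# Constructed sample access-request attributes (invented for this example;
# only the SSID r12-cisco-1 and the MAC formats are quoted from the manual).
SAMPLE_REQUESTS = {
    "vsa": {"vsa": "cisco-vsa:ssid=r12-cisco-1",
            "calling-station-id": "AA-BB-CC-DD-EE-FF", "user-name": "alice"},
    "congdon": {"called-station-id": "00-11-22-33-44-55:guest",
                "calling-station-id": "AABB.CCDD.EEFF", "user-name": "bob"},
    "bad": {"called-station-id": "00-11-22-33-44-55",
            "calling-station-id": "AABBCCDDEEFF", "user-name": ""},
}
PROXY_RULES = [("r12-cisco-1", "*", "corp-radius"), ("guest", "*", "guest-radius")]

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        parsed, problems = check_access_request(req)
        group = select_server_group(parsed["ssid"], parsed["username"] or "", PROXY_RULES)
        print(name, parsed, "->", group, problems)
```

The "bad" sample shows why each check matters: a called-station-id with no SSID suffix, a bare 12-digit MAC, and an empty username would each leave the proxy unable to match a proxy rule or a MAC authentication rule, so the request is reported rather than forwarded.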