D-Link DWS-1008 User Manual
AAA Rollover Process
A DWS-1008 switch attempts AAA methods in the order in which they are entered in the configuration:
1. The first AAA method in the list is used unless that method results in an error. If the method
results in a pass or fail, the result is final and the switch tries no other methods.
2. If the switch receives no response from the first AAA method, it tries the second method in
the list.
3. If the switch receives no response from the second AAA method, it tries the third method.
This evaluation process is applied to all methods in the list.
Note: If a AAA rule specifies local as a secondary AAA method, to be used if the RADIUS servers are
unavailable, and MSS authenticates a client with the local method, MSS starts again at the beginning of
the method list when attempting to authorize the client. This can cause unexpected delays during client
processing and can cause the client to time out before completing logon.
Local Override Exception
The one exception to the operation described in “AAA Rollover Process” takes place if the local database
is the first method in the list and is followed by a RADIUS server group method. If the local method fails
to find a matching username entry in the local database, the switch tries the next RADIUS server group
method. This exception is referred to as local override.
If the local database is the last method in the list, however, local authentication must either accept or
deny the user, because it has no other method to roll over to.
Remote Authentication with Local Backup
You can use a combination of authentication methods; for example, PEAP offload and local authentication.
When PEAP offload is configured, the switch offloads all EAP processing from server groups; the
RADIUS servers are not required to communicate using the EAP protocols. In the event that RADIUS
servers are unavailable, local authentication takes place, using the database on the switch.
Suppose an administrator wants to rely on RADIUS servers and also wants to ensure that a certain
group of users always gets access. As shown in the following example, the administrator can enable
PEAP offload, so that authentication is performed by a RADIUS server group as the first method for
these users, and configure local authentication last, in case the RADIUS servers are unavailable.
1. To configure server-1 and server-2 at IP addresses 192.168.253.1 and 192.168.253.2 with
the password chey3nn3, the administrator enters the following commands:
DWS-1008# set radius server server-1 address 192.168.253.1 key chey3nn3
DWS-1008# set radius server server-2 address 192.168.253.2 key chey3nn3
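The evaluation rules from "AAA Rollover Process" and "Local Override Exception", together with the RADIUS-first, local-last arrangement above, as an added simulation written for this page (example code, not D-Link MSS code). The method names, user accounts, passwords and server reachability are constructed; how a local database placed neither first nor last behaves on an unknown username is an assumption, since the manual does not state it.

```python
# Added example (not D-Link/MSS code): a small simulation of the AAA method-list
# evaluation described in the manual: a pass or fail is final, no response rolls
# over to the next method, a local database that is first and followed by a RADIUS
# server group rolls over on an unknown username (local override), and a local
# database that is last must accept or deny. All names and accounts are constructed.
from typing import Callable, Dict, List, Tuple

PASS = "pass"
FAIL = "fail"
NO_RESPONSE = "no-response"   # method error, e.g. no RADIUS server in the group answered
NOT_FOUND = "not-found"       # local database has no entry for the username

Method = Callable[[str, str], str]


def make_local(db: Dict[str, str]) -> Method:
    """Local database method backed by an in-memory username -> password dict (constructed)."""
    def local(user: str, password: str) -> str:
        if user not in db:
            return NOT_FOUND
        return PASS if db[user] == password else FAIL
    return local


def make_radius_group(reachable: bool, accounts: Dict[str, str]) -> Method:
    """RADIUS server group stand-in: NO_RESPONSE when no server in the group answers."""
    def radius(user: str, password: str) -> str:
        if not reachable:
            return NO_RESPONSE
        return PASS if accounts.get(user) == password else FAIL
    return radius


def authenticate(methods: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate the configured method list in order.

    methods: (name, method) pairs in configured order; the name "local" marks the
    local database, any other name a RADIUS server group.
    Returns (final result, trace of (method name, outcome)) so the rollover path is
    visible. The final result is PASS, FAIL, or NO_RESPONSE if every method errored.
    """
    trace: List[Tuple[str, str]] = []
    for idx, (name, method) in enumerate(methods):
        outcome = method(user, password)
        trace.append((name, outcome))
        is_last = idx == len(methods) - 1
        if outcome in (PASS, FAIL):
            return outcome, trace            # a pass or fail is final; try no other method
        if outcome == NOT_FOUND:
            # Local override: local is the first method and a RADIUS server group follows.
            next_is_radius = not is_last and methods[idx + 1][0] != "local"
            if idx == 0 and next_is_radius:
                continue                     # roll over to the RADIUS server group
            # Local last has nothing to roll over to, so an unknown username is denied.
            # (Assumption: a local database in any other position is treated the same.)
            return FAIL, trace
        # NO_RESPONSE: the switch tries the next method in the list
    return NO_RESPONSE, trace


if __name__ == "__main__":
    local_db = make_local({"admin": "local-pw"})
    radius_up = make_radius_group(True, {"alice": "alice-pw"})
    radius_down = make_radius_group(False, {})
    # Remote authentication with local backup: RADIUS group first, local last.
    print(authenticate([("radius-grp", radius_down), ("local", local_db)], "admin", "local-pw"))
    # Local override: local first, RADIUS group second, username unknown locally.
    print(authenticate([("local", local_db), ("radius-grp", radius_up)], "alice", "alice-pw"))
```

The trace makes the rollover path visible: with the RADIUS group down and the local database last, a locally unknown user is denied rather than retried, whereas with the local database first an unknown user rolls over to the RADIUS group.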