D-Link DWS-1008 User Manual
Configuring 802.1X Authentication
The IEEE 802.1X standard is a framework for passing EAP protocols over a wired or wireless LAN.
Within this framework, you can use TLS, PEAP-TTLS, or EAP-MD5. Most EAP protocols can be passed
through the switch to the RADIUS server. Some protocols can be processed locally on the switch.
The following 802.1X authentication command allows differing authentication treatments for multiple
users:
set authentication dot1x {ssid ssid-name | wired} user-glob [bonded] protocol method1 [method2] [method3] [method4]
For example, the following command authenticates wireless user Tamara, when requesting SSID wetlands,
as an 802.1X user using the PEAP-MS-CHAP-V2 method via the server group shorebirds, which contains
one or more RADIUS servers:
DWS-1008# set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds
When a user attempts to connect through 802.1X, the following events occur:
1. For each 802.1X login attempt, MSS examines each command in the configuration file in
strict configuration order.
2. The first command whose SSID and user glob match the SSID and incoming username
is used to process this authentication. The command determines exactly how this particular
login attempt is processed by the switch.
(For more information about user globs, see “User Globs” on page 9.)
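The first-match evaluation described above can be reproduced offline to audit a saved configuration for commands that an earlier, broader command makes unreachable. The following Python sketch is an added example, not D-Link or MSS code. It assumes that "**" in a user glob matches any string, that "*" matches a run of characters containing no "@" or ".", and that matching is case-sensitive; the sample configuration and the helper names are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    line_no: int
    access: str      # "ssid:<name>" or "wired"
    user_glob: str
    bonded: bool
    protocol: str
    methods: tuple   # method1 .. method4

def parse_rules(config: str) -> list:
    """Collect 'set authentication dot1x' commands in configuration order."""
    rules = []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if tok[:3] != ["set", "authentication", "dot1x"]:
            continue
        rest = tok[3:]
        access = rest.pop(0)
        if access == "ssid":
            access = "ssid:" + rest.pop(0)
        user_glob = rest.pop(0)
        bonded = rest[0] == "bonded"
        if bonded:
            rest.pop(0)
        rules.append(Rule(n, access, user_glob, bonded, rest[0], tuple(rest[1:5])))
    return rules

def glob_matches(glob: str, username: str) -> bool:
    # ASSUMPTION: '**' matches anything; '*' matches a run without '@' or '.'
    pattern = ""
    for part in re.split(r"(\*\*|\*)", glob):
        pattern += {"**": ".*", "*": "[^@.]*"}.get(part, re.escape(part))
    return re.fullmatch(pattern, username) is not None

def first_match(rules: list, access: str, username: str) -> Optional[Rule]:
    """Return the first rule whose SSID and user glob both match, else None."""
    for rule in rules:
        if rule.access == access and glob_matches(rule.user_glob, username):
            return rule
    return None

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds
set authentication dot1x ssid marshes *@example.com peap-mschapv2 local
set authentication dot1x ssid marshes ** peap-mschapv2 shorebirds
set authentication dot1x ssid marshes admin@corp.example.com peap-mschapv2 local
"""
RULES = parse_rules(SAMPLE_CONFIG)
```

In the sample, admin@corp.example.com on SSID marshes resolves to the "**" command on line 3, so the more specific command on line 4 is never reached.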
Configuring EAP Offload
You can configure the switch to offload all EAP processing from server groups. In this case, the RADIUS
server is not required to communicate using the EAP protocols.
For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the local database and only a
username and password on a RADIUS server.
For example, the following command authenticates all wireless users who request SSID marshes at
example.com by offloading PEAP processing onto the switch, while still performing MS-CHAP-V2
authentication via the server group shorebirds:
DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 shorebirds
To offload both PEAP and MS-CHAP-V2 processing onto the switch, use the following command:
DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 local