DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
Local Override Exception
The one exception to the operation described in AAA Rollover Process takes place if the local database is the first method in the list and is followed by a RADIUS server group method. If the local method fails to find a matching username entry in the local database, the switch tries the next RADIUS server group method. This exception is referred to as local override.
If the local database is the last method in the list, however, local authentication must either accept or deny the user, because it has no other method to roll over to.
Remote Authentication with Local Backup
You can use a combination of authentication methods. In pass-through authentication, AAA
processing is passed through the switch and performed remotely by RADIUS servers. If
RADIUS servers are unavailable, local authentication can take place on the switch.
Suppose an administrator wants to rely on RADIUS servers and also wants to ensure
that a certain group of users always gets access. As shown in the following example, the
administrator can configure pass-through authentication by a RADIUS server group as the
first method for these users and configure local authentication last, in case the RADIUS
servers are unavailable.
1. To configure server-1 and server-2 at IP addresses 192.168.253.1 and 192.168.253.2 with the password chey3nn3, the administrator enters the following commands:
DWS-1008# set radius server server-1 address 192.168.253.1 key chey3nn3
DWS-1008# set radius server server-2 address 192.168.253.2 key chey3nn3
2. To configure server-1 and server-2 into server-group-1, the administrator enters the following command:
DWS-1008# set server group server-group-1 members server-1 server-2
3. To enable pass-through plus local authentication for all users of SSID mycorp at @example.com, the administrator enters the following command:
DWS-1008# set authentication dot1x ssid mycorp *@example.com pass-through server-group-1 local
Authentication proceeds as follows:
1. When user [email protected] attempts authentication, the switch sends an authentication request to the first AAA method, which is server-group-1. Because server-group-1 contains two servers, the first RADIUS server, server-1, is contacted. If this server responds, the authentication proceeds using server-1.
2. If server-1 fails to respond, the switch retries the authentication using server-2. If server-2 responds, the authentication proceeds using server-2.