DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
The following command configures a MAC authentication rule that matches on the third-party
AP’s MAC address. Because the AP is connected to the switch on a wired authentication
port, the wired option is used.
DWS-1008# set authentication mac wired aa:bb:cc:01:01:01 srvrgrp1
success: change accepted.
The following command maps SSID mycorp to packets received on port 3 or 4, using 802.1Q
tag value 104:
DWS-1008# set radius proxy port 3-4 tag 104 ssid mycorp
success: change accepted.
Enter a separate command for each SSID, and its tag value, that you want the switch to
support.
The following command configures a RADIUS proxy entry for a third-party AP RADIUS
client at 10.20.20.9, sending RADIUS traffic to the default UDP ports 1812 and 1813 on the
DWS-1008 switch:
DWS-1008# set radius proxy client address 10.20.20.9 key radkey1
success: change accepted.
The IP address is the AP’s IP address. The key is the shared secret configured on the
RADIUS servers. MSS uses the shared secret to authenticate and encrypt RADIUS
communication.
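What the shared secret protects, as an added Python example (not taken from the manual or from MSS): under RFC 2865 the secret hides the User-Password attribute and authenticates the server's reply, while other attributes travel in the clear. The key radkey1 is the one from the command above; the function names and all sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

def md5cat(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth                  # first mask uses the Request Authenticator
    for i in range(0, size, 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], md5cat(secret, prev)))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as done by whoever holds the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, md5cat(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + md5cat(header, request_auth, attrs, secret) + attrs

def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reject replies whose length field or authenticator does not check out."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = md5cat(packet[:4], request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret, ra = b"radkey1", bytes(range(16))      # constructed authenticator; real ones are random
    hidden = hide_password(b"constructed-passphrase-x", secret, ra)
    print("hidden User-Password:", hidden.hex())
    reply = build_reply(2, 7, b"\x12\x04ok", ra, secret)   # Access-Accept with a Reply-Message
    print("right key:", verify_reply(reply, ra, secret))
    print("wrong key:", verify_reply(reply, ra, b"wrongkey"))
```

A key mismatch between the proxy client entry and the RADIUS peer shows up exactly as the last line does: the reply fails verification and the password does not decode.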
The following command configures a proxy authentication rule that matches on all
usernames associated with SSID mycorp. MSS uses RADIUS server group srvrgrp1 to
proxy RADIUS requests and hence to authenticate and authorize the users.
DWS-1008# set authentication proxy ssid mycorp ** srvrgrp1
To verify the changes, use the show config area aaa command.
Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs
To configure MSS to authenticate non-802.1X users of a third-party AP, use the same
commands as those required for 802.1X users. Additionally, when configuring the wired
authentication port, use the auth-fall-thru option to change the fallthru authentication
type to last-resort or web-portal.
On the RADIUS server, configure username web-portal-ssid or last-resort-ssid, depending
on the fallthru authentication type you specify for the wired authentication port.