DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
all EAP processing is offloaded from the RADIUS server, but MS-CHAP-V2 authentication
and authorization are done via a RADIUS server. The MS-CHAP-V2 lookup matches users
against the user list on a RADIUS server. Because the switch requires a certificate for
authentication, a self-signed certificate is shown in this example.
1. Configure the RADIUS server r1 at IP address 10.1.1.1 with the string starry for the key. Type the following command:
DWS-1008# set radius server r1 address 10.1.1.1 key starry
2. Configure the server group sg1 with member r1. Type the following command:
DWS-1008# set server group sg1 members r1
3. Enable all 802.1X users of SSID thiscorp using PEAP-MS-CHAP-V2 to authenticate MS-CHAP-V2 on server group sg1. Type the following command:
DWS-1008# set authentication dot1x ssid thiscorp * peap-mschapv2 sg1
4. To generate a public-private key pair and a self-signed EAP certificate, type the following commands:
DWS-1008# crypto generate key eap 1024
key pair generated
DWS-1008# crypto generate self-signed eap
Country Name: US
State Name: CA
Locality Name: Campus1
Organizational Name: Example
Organizational Unit: IT
Common Name: SW6
Email Address:
Unstructured Name: wiring closet 55
5. Save the configuration:
DWS-1008# save config
success: configuration saved.
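Steps 1 through 3 work only if the names line up: the 802.1X rule must point at a server group that exists, and every group member must be a defined RADIUS server. The Python check below is an added example, not part of the D-Link manual or the switch software; it verifies those references over the commands shown above and flags an EAP key shorter than 2048 bits. The 2048-bit floor and the treatment of a method named local as the switch's local database are assumptions.

```python
import re

# Constructed sample: the commands typed in steps 1-4 above.
SAMPLE = """\
set radius server r1 address 10.1.1.1 key starry
set server group sg1 members r1
set authentication dot1x ssid thiscorp * peap-mschapv2 sg1
crypto generate key eap 1024
"""

MIN_RSA_BITS = 2048  # assumption: site policy floor, not a value from the manual


def audit(config: str, min_bits: int = MIN_RSA_BITS) -> list[str]:
    """Return findings for broken name references and short EAP keys."""
    servers, groups, rules, findings = set(), {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"set radius server (\S+) address (\S+)", line):
            servers.add(m.group(1))
        elif m := re.match(r"set server group (\S+) members (.+)", line):
            groups[m.group(1)] = m.group(2).split()
        elif m := re.match(r"set authentication dot1x ssid (\S+) (\S+) (\S+)(.*)", line):
            # Fields: SSID, user glob, EAP type; the rest are authentication methods.
            rules.append((m.group(1), m.group(4).split()))
        elif m := re.match(r"crypto generate key eap (\d+)", line):
            if int(m.group(1)) < min_bits:
                findings.append(f"EAP key is {m.group(1)} bits, below {min_bits}")
    for group, members in groups.items():
        for member in members:
            if member not in servers:
                findings.append(f"group {group}: RADIUS server {member} not defined")
    for ssid, methods in rules:
        for method in methods:
            # Assumption: 'local' names the switch's local database, not a group.
            if method != "local" and method not in groups:
                findings.append(f"ssid {ssid}: server group {method} not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```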
Combining EAP Offload with Pass-Through Authentication
The following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing