Alcatel-Lucent AOS-W 6.5.3.x - Page 261

For the switch to communicate with the authentication server, you must configure the IP address,
authentication port, and accounting port of the server on the switch. The authentication server must be
configured with the IP address of the RADIUS client, which is the switch in this case. Both the switch and the
authentication server must be configured to use the same shared secret.
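As an added illustration (not from the AOS-W guide) of why the switch and the authentication server must hold the same shared secret: RADIUS (RFC 2865) authenticates every server reply with an MD5 digest over the reply, the Request Authenticator the client sent, and the shared secret, so the switch silently discards any reply built under a different secret or altered in transit. The secret, Request Authenticator and Reply-Message below are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

# Constructed sample values; a real client generates a fresh random 16-byte
# Request Authenticator per request, and the secret comes from the switch config.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

def response_authenticator(code, identifier, request_auth, attributes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_response(code, identifier, request_auth, attributes, secret):
    """What the authentication server sends back: header, authenticator, attributes."""
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes

def verify_response(packet, request_auth, secret):
    """What the RADIUS client (the switch) does: recompute the digest with its own
    copy of the secret and the authenticator it sent, then compare in constant time."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def reply_message(text):
    """Encode a Reply-Message attribute (type 18): type, length, value."""
    value = text.encode()
    return bytes([18, 2 + len(value)]) + value

def demo():
    """An Access-Accept from a server holding the right secret passes; a reply built
    with a different secret, or one whose code was flipped in transit, is rejected."""
    attrs = reply_message("Welcome")
    good = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR, attrs, SHARED_SECRET)
    wrong_secret = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR, attrs, b"other")
    tampered = bytes([ACCESS_REJECT]) + good[1:]   # code changed, digest left as sent
    return (verify_response(good, REQUEST_AUTHENTICATOR, SHARED_SECRET),
            verify_response(wrong_secret, REQUEST_AUTHENTICATOR, SHARED_SECRET),
            verify_response(tampered, REQUEST_AUTHENTICATOR, SHARED_SECRET))  # (True, False, False)
```

A shared-secret mismatch therefore shows up on the switch as replies that never validate, not as an explicit error from the server.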
Additional information on EAP types supported in a Windows environment, Microsoft supplicants, and
authentication servers is available at http://technet.microsoft.com/en-us/library/cc782851(WS.10).aspx.
The client communicates with the switch through a GRE tunnel to form an association with an AP and to get
authenticated in the network. Therefore, the network authentication and encryption configured for an ESSID
must be the same on both the client and the switch.
Configuring Authentication Terminated on Switch
User authentication is performed either via the switch’s internal database or a non-802.1X server. See 802.1X
Authentication Profile Basic WebUI Parameters on page 263 for an overview of the parameters that you need
to configure on 802.1X authentication components when 802.1X authentication is terminated on the switch
(AAA FastConnect).
Figure 46 802.1X Authentication with Termination on Switch
In this scenario, the supplicant is configured for EAP-Transport Layer Security (TLS) or EAP-Protected EAP (PEAP).
- EAP-TLS is used with smart card user authentication. A smart card holds a digital certificate which, with the user-entered personal identification number (PIN), allows the user to be authenticated on the network. EAP-TLS relies on digital certificates to verify the identities of both the client and the server.
  EAP-TLS requires that you import server and certification authority (CA) certificates onto the switch (see Configuring and Using Certificates with AAA FastConnect on page 267). The client certificate is verified on the switch (the client certificate must be signed by a known CA) before the username is checked on the authentication server.
- EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following inner EAP methods is used:
  - EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of an LDAP or RADIUS server as the user authentication server. You can also enable caching of user credentials on the switch as a backup to an external authentication server.
  - EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the backend authentication server.
If you use the switch’s internal database for user authentication, you need to add the names and passwords of
the users to be authenticated. If you use an LDAP server for user authentication, you need to configure both
the LDAP server and the user IDs and passwords on the switch. If you use a RADIUS server for user
authentication, you need to configure the RADIUS server on the switch.
AOS-W 6.5.3.x | User Guide 802.1X Authentication | 261