Ways An Wss Switch Can Use Eap - Nortel 2300 Series Configuration Manual

416 Configuring AAA for Network Users

Ways an WSS Switch Can Use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can configure an WSS
switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WSS, or to
offload some authentication tasks from the server group.
tion approaches.
(For information about digital certificates, see
Table 29: Three Basic WSS Approaches to EAP Authentication
Approach Description
Pass- An EAP session is established directly between the client and RADIUS server, passing
through through the WSS switch. User information resides on the server. All authentication
information and certificate exchanges pass through the switch or use client certificates issued
by a certificate authority (CA). In this case, the switch does not need a digital certificate,
although the client might.
Local The WSS switch performs all authentication using information in a local user database
configured on the switch, or using a client-supplied certificate. No RADIUS servers are
required. In this case, the switch needs a digital certificate. If you plan to use the EAP with
Transport Layer Security (EAP-TLS) authentication protocol, the clients also need
certificates.
Offload The WSS switch offloads all EAP processing from a RADIUS server by establishing a TLS
session between the switch and the client. In this case, the switch needs a digital certificate. If
you plan to use the EAP-TLS authentication protocol, the clients also need certificates. When
you use offload, RADIUS can still be used for non-EAP authentication and authorization.
320657-A
Table 29 on page 416
"Managing Keys and Certificates," on page
details these three basic WSS authentica-
379.)