Vlans And Users - Nortel 2350 Installation And Basic Configuration Manual

Wlan-security switch 2300 series

116 Configuring a 2370, 2360, or 2380 Switch for Basic Service
requested), and that uses the Extensible Authentication Protocol (EAP) requested by the NIC. If a matching rule is found, WSS Software uses the requested EAP to check the RADIUS server group or local database for the username and password entered by the user. If matching information is found, WSS Software grants access to the user.

MAC—If the username does not match an 802.1X authentication rule, but the MAC address of the user's NIC or Voice-over-IP (VoIP) phone and the SSID (if wireless) do match a MAC authentication rule, WSS Software checks the RADIUS server group or local database for matching user information. If the MAC address (and password, if on a RADIUS server) matches, WSS Software grants access. Otherwise, WSS Software attempts the fallthru authentication type, which can be Web, last-resort, or none.

Web—A network user attempts to access a web page over the network. The WSS intercepts the HTTP or HTTPS request and serves a login Web page to the user. The user enters the username and password, and WSS Software checks the RADIUS server group or local database for matching user information. If the username and password match, WSS Software redirects the user to the web page she requested. Otherwise, WSS Software denies access to the user.

Last-resort—A network user requests access to the network, without entering a username or password. WSS Software checks for a last-resort authentication rule for the requested SSID (or for wired, if the user is on a wired authentication port). If a matching rule is found, WSS Software checks the RADIUS server group or local database for username last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. If the user information is on a RADIUS server, WSS Software also checks for a password.
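The rule order above (802.1X first, then MAC, then the MAC rule's fallthru of Web, last-resort, or none) is easiest to reason about as a small decision procedure. The following Python model is an added illustration, not Nortel code or WSS Software behaviour taken from the product: the AuthRule and Request shapes, the glob matching of SSIDs and usernames, the RULES list and the USER_DB dictionary are all assumptions chosen to mirror the prose, and the last-resort identities follow the last-resort-ssid / last-resort-wired naming the manual gives.

```python
"""Constructed model of the WSS authentication-rule evaluation order.

Added illustration, not Nortel code: rule and request shapes, glob matching
and the credential dictionary are assumptions chosen to mirror the manual's
description (802.1X, then MAC, then the MAC rule's fallthru type).
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass
class AuthRule:
    method: str              # "dot1x", "mac", "web" or "last-resort"
    ssid: str                # SSID glob, or "wired" for a wired authentication port
    pattern: str = "*"       # username glob (dot1x, web) or MAC glob (mac)
    fallthru: str = "none"   # MAC rules only: "web", "last-resort" or "none"


@dataclass
class Request:
    ssid: str                       # requested SSID, or "wired"
    username: Optional[str] = None  # 802.1X or Web-login username, if supplied
    password: Optional[str] = None
    mac: Optional[str] = None       # MAC of the NIC or VoIP phone, lowercase


# Constructed credential store standing in for the RADIUS server group / local database.
# MAC and last-resort entries carry no password here (a RADIUS server may require one).
USER_DB = {
    "alice@corp": "s3cret",
    "00:11:22:33:44:55": None,
    "last-resort-guest": None,
}

# Constructed rule set: 802.1X on "corp", MAC for phones on "voice" with no fallthru,
# MAC on "guest" falling through to last-resort, Web login on "portal".
RULES = [
    AuthRule("dot1x", "corp", "*@corp"),
    AuthRule("mac", "voice", "00:11:*", fallthru="none"),
    AuthRule("mac", "guest", "*", fallthru="last-resort"),
    AuthRule("last-resort", "guest"),
    AuthRule("web", "portal", "*"),
]


def find_rule(rules, method, req, key):
    """First rule of `method` whose SSID glob and pattern glob both match."""
    if key is None:
        return None
    for r in rules:
        if r.method == method and fnmatch(req.ssid, r.ssid) and fnmatch(key, r.pattern):
            return r
    return None


def check_db(db, name, password=None):
    """True when the identity exists and its stored password (or None) matches."""
    return name in db and db[name] == password


def web_auth(rules, req, db):
    # Without a username the WSS would still be serving the login page: deny for now.
    if req.username is None or find_rule(rules, "web", req, req.username) is None:
        return False, "Web", req.username
    return check_db(db, req.username, req.password), "Web", req.username


def last_resort_auth(rules, req, db):
    name = "last-resort-wired" if req.ssid == "wired" else f"last-resort-{req.ssid}"
    if find_rule(rules, "last-resort", req, "") is None:
        return False, "last-resort", name
    return check_db(db, name), "last-resort", name


def authenticate(rules, req, db=USER_DB):
    """Return (granted, method_used, identity_checked) following the manual's order."""
    r = find_rule(rules, "dot1x", req, req.username)
    if r:  # 802.1X rule matched: EAP credentials are checked against the database
        return check_db(db, req.username, req.password), "802.1X", req.username
    r = find_rule(rules, "mac", req, req.mac)
    if r:  # MAC rule matched: MAC looked up, otherwise the rule's fallthru type is tried
        if check_db(db, req.mac):
            return True, "MAC", req.mac
        if r.fallthru == "web":
            return web_auth(rules, req, db)
        if r.fallthru == "last-resort":
            return last_resort_auth(rules, req, db)
        return False, "MAC", req.mac
    # No 802.1X or MAC rule: a Web login if credentials were offered, else last-resort.
    if req.username is not None:
        return web_auth(rules, req, db)
    return last_resort_auth(rules, req, db)
```

Running authenticate(RULES, Request("guest", mac="de:ad:be:ef:00:01")) shows the fallthru path: the MAC rule on "guest" matches, the MAC is unknown, and the request is granted only because a last-resort rule and a last-resort-guest identity both exist. Removing either denies the request, which is the check worth making before enabling last-resort access on a production SSID.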
Users cannot access the network unless they are authorized. You can configure a WSS to authenticate users with user information on a group of RADIUS servers or in a local user database on the switch. You also can configure a switch to offload some authentication tasks from the server group.

Pass-through—The switch establishes an Extensible Authentication Protocol (EAP) session directly between the client and RADIUS server. All authentication information and certificate exchanges pass through the switch. In this case, the switch does not need a certificate.

Local—The switch performs all authentication with information in a local user database configured on the switch. No RADIUS servers are required. In this case, the switch needs a certificate. If you plan to use EAP with Transport Layer Security (EAP-TLS), the clients also need certificates.

Offload—The switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client. In this case, the switch needs a certificate. If you plan to use the EAP-TLS authentication protocol, the clients also need certificates.
This section provides examples for configuring Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP-V2) authentication for 802.1X users, in pass-through and offload configurations. (For information about configuring other authentication types, see the Nortel WLAN 2300 System Software Configuration Guide.)

VLANs and Users

For each user, an attribute must be set in the local database or on a RADIUS server to assign the user to a VLAN. This is true regardless of the authentication type you use. You can use either of the following attributes to assign a user to a VLAN:

Tunnel-Private-Group-ID—This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.
320656-A
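As an added example of what the RADIUS side of the VLAN assignment above looks like on the wire (this is not Nortel code and is not taken from the product): the Python below builds and parses Tunnel-Private-Group-ID together with the Tunnel-Type and Tunnel-Medium-Type attributes that normally accompany it. Attribute numbers and the tag rule are from RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81; a tag byte is 0x01 through 0x1F, 0x00 means unused, and a leading byte above 0x1F in Tunnel-Private-Group-ID is the first byte of the string rather than a tag), and the VLAN (13) over IEEE-802 (6) pairing follows RFC 3580. The VLAN names and the sample Access-Accept attribute runs are constructed.

```python
"""Build and parse the RADIUS tunnel attributes that carry a VLAN assignment.

Added example, not Nortel code. Attribute numbers and the tag rule come from
RFC 2868; the VLAN(13) / IEEE-802(6) pairing is the RFC 3580 convention.
VLAN names and the sample replies below are constructed.
"""
import struct
from typing import Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
MAX_TAG = 0x1F


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Type(1) Length(1)=6 Tag(1) Value(3): the RFC 2868 tagged-integer layout."""
    if not 0 <= tag <= MAX_TAG or not 0 <= value < 1 << 24:
        raise ValueError("tag or value out of range")
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, text: str, tag: int = 0) -> bytes:
    """Type(1) Length(1) Tag(1) String: the RFC 2868 tagged-string layout."""
    data = text.encode("utf-8")
    if not 0 <= tag <= MAX_TAG or len(data) + 3 > 255:
        raise ValueError("tag out of range or string too long")
    return struct.pack(">BBB", attr_type, len(data) + 3, tag) + data


def iter_attrs(blob: bytes):
    """Yield (type, value) from a run of RADIUS TLVs, rejecting truncated ones."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[i + 2:i + alen]
        i += alen


def split_tag(value: bytes):
    """RFC 2868 string rule: a leading byte <= 0x1F is a tag, anything else is untagged."""
    if value and value[0] <= MAX_TAG:
        return value[0], value[1:]
    return 0, value


def vlan_assignment(blob: bytes) -> Optional[str]:
    """Return the VLAN name/number only when one tag group says VLAN over IEEE 802."""
    by_tag: dict = {}
    for atype, raw in iter_attrs(blob):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, val = split_tag(raw)
            val = val.decode("utf-8")
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(raw) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            tag, val = raw[0], int.from_bytes(raw[1:], "big")
        else:
            continue  # other attributes (Framed-IP-Address, Filter-Id, ...) are ignored
        by_tag.setdefault(tag, {})[atype] = val
    for tag in sorted(by_tag):
        group = by_tag[tag]
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


# Constructed Access-Accept attribute runs: one fully tagged (tag 1) ...
TAGGED_REPLY = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
                + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802, tag=1)
                + tagged_string(TUNNEL_PRIVATE_GROUP_ID, "engineering", tag=1))
# ... and one where the server omitted the tag byte of the string entirely.
UNTAGGED_REPLY = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                  + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
                  + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(b"guest")]) + b"guest")

if __name__ == "__main__":
    print(vlan_assignment(TAGGED_REPLY), vlan_assignment(UNTAGGED_REPLY))
```

The parser deliberately refuses to return a VLAN from a bare Tunnel-Private-Group-ID: a switch that honours the group ID without checking that Tunnel-Type and Tunnel-Medium-Type in the same tag group say VLAN over 802 can be steered onto the wrong VLAN by a mis-configured server. The untagged case matters in practice because several RADIUS servers send the VLAN name with no tag byte, and the RFC 2868 rule is what keeps that interoperable.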