Ways A Wss Can Use Eap - Nortel 2360 Configuration Manual

Ways a WSS can use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can
configure a WSS to authenticate users with EAP on a group of RADIUS servers and/or in a local user database
on the WSS, or to offload some authentication tasks from the server group.
WSS authentication approaches.
(For information about digital certificates, see
Table 2: Three basic WSS approaches to EAP authentication
Approach Description
Pass- An EAP session is established directly between the client and RADIUS
through server, passing through the WSS. User information resides on the
server. All authentication information and certificate exchanges pass
through the switch or use client certificates issued by a certificate
authority (CA). In this case, the switch does not need a digital
certificate, although the client might.
Local The WSS performs all authentication using information in a local user
database configured on the switch, or using a client-supplied
certificate. No RADIUS servers are required. In this case, the switch
needs a digital certificate. If you plan to use the EAP with Transport
Layer Security (EAP-TLS) authentication protocol, the clients also
need certificates.
Offload The WSS offloads all EAP processing from a RADIUS server by
establishing a TLS session between the switch and the client. In this
case, the switch needs a digital certificate. When you use offload,
RADIUS can still be used for non-EAP authentication and
authorization. EAP-TLS cannot be used with offload.
"Managing keys and certificates" (page
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Configuring AAA for network users 481
Table 2 details these three basic
443).)