484 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERSWX Switch Requirements The WX port connected to the third-party AP must be configured as awired authentication port. If SSID traffic from the AP is tagged, thesame VLAN tag value must be used on the wired authentication port. A MAC authentication rule must be configured to authenticate theAP. The WX must be configured as a RADIUS proxy for the AP. The WX isa RADIUS server to the AP but remains a RADIUS client to the realRADIUS servers.The WX system IP address must be the same as the IP address configuredon the VLAN that contains the proxy port. An authentication proxy rule must be configured for the AP’s users.The rule matches based on SSID and username, and selects theauthentication method (a RADIUS server group) for proxying.RADIUS Server Requirements For 802.1X users, the usernames and passwords must be configuredon the RADIUS server. For non-802.1X users of a tagged SSID, the special usernameweb-portal-ssid or last-resort-ssid must be configured, where ssidis the SSID name. The fallthru authentication type (web-portal orlast-resort) specified for the wired authentication port connected tothe AP determines which username you need to configure. For any users of an untagged SSID, the special usernameweb-portal-wired or last-resort-wired must be configured,depending on the fallthru authentication type specified for the wiredauthentication port.ConfiguringAuthentication for802.1X Users of aThird-Party AP withTagged SSIDsTo configure MSS to authenticate 802.1X users of a third-party AP, usethe commands below to do the following: Configure the port connected to the AP as a wired authenticationport. Use the following command:set port type wired-auth port-list [tag tag-list][max-sessions num][auth-fall-thru {last-resort | none | web-portal}]
